diff --git a/samples/curve-negotiation/client.lua b/samples/curve-negotiation/client.lua new file mode 100644 index 0000000..42dff42 --- /dev/null +++ b/samples/curve-negotiation/client.lua @@ -0,0 +1,28 @@ +-- +-- Public domain +-- +local socket = require("socket") +local ssl = require("ssl") + +local params = { + mode = "client", + protocol = "any", + key = "../certs/clientAkey.pem", + certificate = "../certs/clientA.pem", + cafile = "../certs/rootA.pem", + verify = {"peer", "fail_if_no_peer_cert"}, + options = {"all"}, + -- + curve = "P-256:P-384", +} + +local peer = socket.tcp() +peer:connect("127.0.0.1", 8888) + +-- [[ SSL wrapper +peer = assert( ssl.wrap(peer, params) ) +assert(peer:dohandshake()) +--]] + +print(peer:receive("*l")) +peer:close() diff --git a/samples/curve-negotiation/server.lua b/samples/curve-negotiation/server.lua new file mode 100644 index 0000000..5fd4724 --- /dev/null +++ b/samples/curve-negotiation/server.lua @@ -0,0 +1,37 @@ +-- +-- Public domain +-- +local socket = require("socket") +local ssl = require("ssl") + +local params = { + mode = "server", + protocol = "any", + key = "../certs/serverAkey.pem", + certificate = "../certs/serverA.pem", + cafile = "../certs/rootA.pem", + verify = {"peer", "fail_if_no_peer_cert"}, + options = {"all"}, + -- + curve = "P-384:P-256:P-521", +} + + +-- [[ SSL context +local ctx = assert(ssl.newcontext(params)) +--]] + +local server = socket.tcp() +server:setoption('reuseaddr', true) +assert( server:bind("127.0.0.1", 8888) ) +server:listen() + +local peer = server:accept() + +-- [[ SSL wrapper +peer = assert( ssl.wrap(peer, ctx) ) +assert( peer:dohandshake() ) +--]] + +peer:send("oneshot with curve negotiation test\n") +peer:close() diff --git a/src/context.c b/src/context.c index 4187314..f642f34 100644 --- a/src/context.c +++ b/src/context.c @@ -574,6 +574,24 @@ static int set_curve(lua_State *L) long ret; SSL_CTX *ctx = lsec_checkcontext(L, 1); const char *str = luaL_checkstring(L, 2); + + SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE); + +#if defined(SSL_CTRL_SET_ECDH_AUTO) || defined(SSL_CTRL_SET_CURVES_LIST) + if (SSL_CTX_set1_curves_list(ctx, str) != 1) { + lua_pushboolean(L, 0); + lua_pushfstring(L, "unknown elliptic curve in \"%s\"", str); + return 2; + } + +#ifdef SSL_CTRL_SET_ECDH_AUTO + SSL_CTX_set_ecdh_auto(ctx, 1); +#endif + + lua_pushboolean(L, 1); + return 1; + +#else /* !defined(SSL_CTRL_SET_CURVES_LIST) */ EC_KEY *key = find_ec_key(str); if (!key) { @@ -594,6 +612,7 @@ static int set_curve(lua_State *L) } lua_pushboolean(L, 1); return 1; +#endif /* defined(SSL_CTRL_SET_CURVES_LIST) */ } #endif